This security role configuration table is designed to provide the absolute minimum permissions required for each tool to function. It is the configuration to use when the goal is to ensure the API role can perform only its designated tasks and nothing more.
Definitive Least Privilege Configuration
This table includes the ancillary Inquire permissions that the primary tools need in order to function correctly. It defines the minimum permissions required to enable all the tool functionalities while keeping the role limited to read-only access everywhere else.
Least Privilege Security Role Configuration
| Module | Action | Add | Edit | Delete | Inquire |
| --- | --- | --- | --- | --- | --- |
| Companies | Company Maintenance | None | None | None | All |
| Service Desk | Service Tickets | My | My | None | My |
| System | Member Maintenance | None | None | None | All |
| System* | Setup Tables* | None | None | None | All |
Note on "System - Setup Tables": This permission is required to retrieve the list of service boards. It was not found in the provided security matrix but is a standard ConnectWise permission. To grant this access, you would typically find the "Setup Tables" action within the "System" module and set the Inquire Level to All.
| Module | Action | Add Level | Edit Level | Delete Level | Inquire Level | Reasoning for Requirement |
| --- | --- | --- | --- | --- | --- | --- |
| Service Desk | Service Tickets | My | My | None | My | The core permissions to create, edit, and view tickets owned by the API user. |
| Companies | Company Maintenance | None | None | None | All | Dependency: required to look up and associate companies/contacts when creating, updating, or viewing tickets. |
| System | Member Maintenance | None | None | None | All | Dependency: required to look up and assign members (technicians) and to view who is assigned to a ticket. |
| System | Setup Tables¹ | None | None | None | All | Dependency: required to see the list of available Service Boards, Statuses, Types, Priorities, etc., which are necessary to create or update a ticket. |
Notes:
¹ System > Setup Tables: This is a critical permission set. Without Inquire All on the setup tables, the tools will fail when trying to:
- Get a list of service boards (cw_get_boards).
- Create a ticket with a specific status, type, or priority, because the API user will not be able to validate those values.
Why This Configuration is Correct and Complete
- To Create a Ticket (cw_create_ticket): You must specify a company and a board. The API user needs Inquire on Company Maintenance to find the company and Inquire on Setup Tables to see the list of valid boards.
- To Update a Ticket (cw_update_ticket): If you are changing the assigned member, the API user needs Inquire access to Member Maintenance to find the member you want to assign it to.
- To View a Ticket (cw_get_ticket): When you retrieve a ticket, the system also looks up the associated company name, contact, and assigned member. If the API user lacks Inquire rights for these, the ticket data may be incomplete or cause an error.
This revised table represents the true "least privilege" role. While it includes Inquire All in several areas, these are read-only permissions that are essential dependencies for the core Add My and Edit My ticket functions to work reliably.
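The dependency reasoning above can be checked mechanically before the role is ever saved in ConnectWise. The following script is an added example, not code from the page or from ConnectWise: it encodes the page's tool-to-permission requirements (including the Inquire dependencies) and the definitive least-privilege table as data, reports which tools a candidate role would break, and flags any right granted above what any tool needs. The TOOL_REQUIREMENTS mapping is this example's reading of the tables above; the function and variable names are its own.

```python
"""Offline least-privilege check of a ConnectWise security role.

Added example. Module, action and level names are the page's; the data
structures and the TOOL_REQUIREMENTS mapping are this example's own reading
of the page's tables.
"""

# Ordering of the permission levels as the page uses them.
LEVEL_RANK = {"None": 0, "My": 1, "All": 2}

# Minimum (module, action, right, level) each tool needs, per the page's
# tables. Lookup dependencies are included because the page explains that
# the ticket tools fail without them.
TOOL_REQUIREMENTS = {
    "cw_search_tickets": [
        ("Service Desk", "Service Tickets", "Inquire", "My"),
    ],
    "cw_get_ticket": [
        ("Service Desk", "Service Tickets", "Inquire", "My"),
        ("Companies", "Company Maintenance", "Inquire", "All"),
        ("System", "Member Maintenance", "Inquire", "All"),
    ],
    "cw_create_ticket": [
        ("Service Desk", "Service Tickets", "Add", "My"),
        ("Companies", "Company Maintenance", "Inquire", "All"),
        ("System", "Setup Tables", "Inquire", "All"),
    ],
    "cw_update_ticket": [
        ("Service Desk", "Service Tickets", "Edit", "My"),
        ("System", "Member Maintenance", "Inquire", "All"),
        ("System", "Setup Tables", "Inquire", "All"),
    ],
    "cw_search_companies": [("Companies", "Company Maintenance", "Inquire", "All")],
    "cw_get_company": [("Companies", "Company Maintenance", "Inquire", "All")],
    "cw_search_contacts": [("Companies", "Company Maintenance", "Inquire", "All")],
    "cw_get_contact": [("Companies", "Company Maintenance", "Inquire", "All")],
    "cw_get_boards": [("System", "Setup Tables", "Inquire", "All")],
    "cw_get_members": [("System", "Member Maintenance", "Inquire", "All")],
}

# The page's "Definitive Least Privilege Configuration" table as data.
LEAST_PRIVILEGE_ROLE = {
    ("Service Desk", "Service Tickets"): {"Add": "My", "Edit": "My", "Delete": "None", "Inquire": "My"},
    ("Companies", "Company Maintenance"): {"Add": "None", "Edit": "None", "Delete": "None", "Inquire": "All"},
    ("System", "Member Maintenance"): {"Add": "None", "Edit": "None", "Delete": "None", "Inquire": "All"},
    ("System", "Setup Tables"): {"Add": "None", "Edit": "None", "Delete": "None", "Inquire": "All"},
}


def granted_level(role, module, action, right):
    """Level the role grants for one right; anything not listed counts as 'None'."""
    return role.get((module, action), {}).get(right, "None")


def missing_permissions(role, tool):
    """Requirements of `tool` the role does not meet: (module, action, right, needed, granted)."""
    gaps = []
    for module, action, right, needed in TOOL_REQUIREMENTS[tool]:
        have = granted_level(role, module, action, right)
        if LEVEL_RANK[have] < LEVEL_RANK[needed]:
            gaps.append((module, action, right, needed, have))
    return gaps


def check_role(role):
    """Map every tool to its unmet requirements (an empty list means the tool works)."""
    return {tool: missing_permissions(role, tool) for tool in TOOL_REQUIREMENTS}


def excess_permissions(role):
    """Rights granted above the highest level any tool needs: the over-provisioning to remove.

    Returns (module, action, right, granted, highest_needed). 'All' on Service
    Tickets is reported too: the page treats it as a deliberate upgrade for
    system-wide automation, so it should be a conscious choice, not a default.
    """
    needed = {}
    for reqs in TOOL_REQUIREMENTS.values():
        for module, action, right, level in reqs:
            key = (module, action, right)
            if LEVEL_RANK[level] > LEVEL_RANK[needed.get(key, "None")]:
                needed[key] = level
    excess = []
    for (module, action), rights in role.items():
        for right, granted in rights.items():
            top = needed.get((module, action, right), "None")
            if LEVEL_RANK[granted] > LEVEL_RANK[top]:
                excess.append((module, action, right, granted, top))
    return excess


def report(role):
    """Human-readable summary for running the check by hand."""
    lines = []
    for tool, gaps in check_role(role).items():
        status = "OK" if not gaps else "FAILS: " + "; ".join(
            f"{m} > {a} {r} needs {n}, role grants {h}" for m, a, r, n, h in gaps)
        lines.append(f"{tool:20s} {status}")
    for m, a, r, g, t in excess_permissions(role):
        lines.append(f"excess: {m} > {a} {r}={g} (no tool needs more than {t})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LEAST_PRIVILEGE_ROLE))
    # Constructed comparison role: Delete All on tickets and no Setup Tables row.
    loose = {k: dict(v) for k, v in LEAST_PRIVILEGE_ROLE.items()}
    loose[("Service Desk", "Service Tickets")]["Delete"] = "All"
    del loose[("System", "Setup Tables")]
    print(report(loose))
```

Running the script shows the definitive table passing every tool with no excess, while the constructed comparison role fails cw_get_boards, cw_create_ticket and cw_update_ticket on the missing Setup Tables Inquire and is flagged for the unnecessary Delete All.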
Important Considerations for this Role
Limited Scope for Ticket Tools: Using the My level for Service Tickets is highly secure but also restrictive. An API user with this role cannot be used for system-wide tasks like:
- Finding a duplicate ticket created by a different user.
- Updating a ticket that is not assigned to the API user.
- Running analytics on all tickets for a specific client.
Recommendation for Broader Automation: If you intend to build more powerful, system-wide automations (like a dispatcher or reporting tool), you must upgrade the Service Tickets permissions from My to All for the Edit and Inquire levels.
Permissions & Recommendations by Tool:
cw_search_tickets & cw_get_ticket
These tools require permission to view (Inquire) service tickets.
| Module | Action | Add Level | Edit Level | Delete Level | Inquire Level |
| --- | --- | --- | --- | --- | --- |
| Service Desk | Service Tickets | None | None | None | All or My |
Least Privilege Recommendation (Required):
Inquire My permission: "Allows the ability to review only existing Service Tickets that belong to the member."
Use Case: This is the most secure option. It allows the tool to find and view tickets that the API user created or is assigned to. This is sufficient for workflows where the tool is managing tickets it created or was assigned.
Enhanced Functionality (Recommended):
Inquire All permission: "Allows the ability to review existing Service Tickets."
Use Case: This level is essential for building robust, system-wide automations. It allows the tool to find any ticket, such as checking for duplicates across a whole company before creating a new ticket, or performing analytics on all tickets for a client. This is the recommended level for most MSP workflows.
cw_create_ticket
This tool requires permission to create (Add) service tickets.
| Module | Action | Add Level | Edit Level | Delete Level | Inquire Level |
| --- | --- | --- | --- | --- | --- |
| Service Desk | Service Tickets | All or My | None | None | None |
Least Privilege Recommendation (Required):
Add My or Add All permission: Add My and Add All have the same description: "Allows the ability to create Service Tickets."
Use Case: Either level is the minimum required to create a ticket. For an automated tool, there is no functional difference between them for this action.
Enhanced Functionality: No higher level is applicable. The Add permission enables the tool's complete functionality.
cw_update_ticket
This tool requires permission to modify (Edit) service tickets.
| Module | Action | Add Level | Edit Level | Delete Level | Inquire Level |
| --- | --- | --- | --- | --- | --- |
| Service Desk | Service Tickets | None | All or My | None | None |
Least Privilege Recommendation (Sufficient for some workflows):
Edit My permission: "Allows the ability to edit only existing Service Tickets that belong to the member."
Use Case: Use this if the tool should only be able to modify tickets it has created or been assigned to, for example an automation that adds notes to tickets it opened.
Enhanced Functionality (Recommended):
Edit All permission: "Allows the ability to edit existing Service Tickets."
Use Case: This is crucial for dispatcher or triage workflows. It allows the tool to reassign tickets from a central queue to a technician, change the status of any ticket, or add notes to tickets created by users. This is the recommended level for most MSP workflows.
cw_search_companies, cw_get_company, cw_search_contacts, cw_get_contact
These tools require permission to view (Inquire) company maintenance.
| Module | Action | Add Level | Edit Level | Delete Level | Inquire Level |
| --- | --- | --- | --- | --- | --- |
| Companies | Company Maintenance | None | None | None | All |
Least Privilege Recommendation (Required):
Inquire All permission: "Allows the ability to review existing companies within the system."
Use Case: This is the only level available besides None. It is required for the tools to find any company or contact. Without Inquire All, these tools cannot function.
Enhanced Functionality: Not applicable for inquiry. Higher permissions (Add, Edit) on Company Maintenance would allow the creation or modification of company records but do not enhance the searching capability of these specific tools.
cw_get_boards
Access to read service boards (the Service Board Setup action) is typically a system-level permission. In modern ConnectWise versions, any user with Inquire access to Service Tickets can usually also read the list of boards. You should test this, but a role with the permissions above will likely be sufficient.
cw_get_members
This tool requires permission to view (Inquire) system member profiles.
| Module | Action | Add Level | Edit Level | Delete Level | Inquire Level |
| --- | --- | --- | --- | --- | --- |
| System | Member Maintenance | None | None | None | All |
Least Privilege Recommendation (Required):
Inquire All permission: "Allows the ability to review existing member profiles."
Use Case: This is the only level available besides None. It is required for the tool to get a list of technicians for ticket assignment workflows. Without it, the tool cannot function.
Enhanced Functionality: Not applicable. Inquire All is the only functional level for this read-only tool.
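The cw_get_boards section above says to test whether the configured role can actually read the board list. The script below is an added example, not code from the page or from ConnectWise, that performs that test for every read path the tools use: it sends one read-only request per endpoint with the API member's own keys and reports which tools the live role allows or denies. It assumes the ConnectWise Manage REST API conventions as the author of this example understands them (base path /v4_6_release/apis/3.0, Basic auth with username "companyId+publicKey" and password "privateKey", and a mandatory clientId header); the endpoint paths in TOOL_ENDPOINTS are likewise an assumption to confirm against your instance's API documentation. Only GETs with pageSize=1 are sent, so nothing is created or modified.

```python
"""Live, read-only probe of an API member's effective permissions.

Added example, not code from the page or from ConnectWise. API base path,
auth scheme and endpoint paths are assumptions about the ConnectWise Manage
REST API; confirm them against your instance's documentation.
"""
import base64
import os
import urllib.error
import urllib.request

# First read each tool performs. GET only: Add/Edit rights are not exercised
# by this probe, so they are still taken from the page's tables.
TOOL_ENDPOINTS = {
    "cw_search_tickets": "service/tickets",
    "cw_get_boards": "service/boards",
    "cw_search_companies": "company/companies",
    "cw_search_contacts": "company/contacts",
    "cw_get_members": "system/members",
}


def build_headers(company_id, public_key, private_key, client_id):
    """Basic auth as 'companyId+publicKey:privateKey', plus the clientId header (assumed scheme)."""
    token = base64.b64encode(f"{company_id}+{public_key}:{private_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "clientId": client_id, "Accept": "application/json"}


def http_get(url, headers):
    """Return the HTTP status of a GET; 401/403 are results to record, not errors."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Translate a status code into the permission outcome the role audit cares about."""
    if status == 200:
        return "allowed"
    if status in (401, 403):
        return "denied"
    return f"unexpected ({status})"


def probe_role(site, headers, fetch=http_get):
    """Probe one endpoint per tool; `fetch` is injectable so the logic runs offline in tests."""
    results = {}
    for tool, path in TOOL_ENDPOINTS.items():
        url = f"https://{site}/v4_6_release/apis/3.0/{path}?pageSize=1"
        results[tool] = classify(fetch(url, headers))
    return results


def denied_tools(results):
    """Tools whose first read the live role does not permit."""
    return sorted(tool for tool, outcome in results.items() if outcome != "allowed")


if __name__ == "__main__":
    # Credentials come from the environment so they never land in the script.
    # Variable names are this example's own.
    headers = build_headers(
        os.environ["CW_COMPANY_ID"], os.environ["CW_PUBLIC_KEY"],
        os.environ["CW_PRIVATE_KEY"], os.environ["CW_CLIENT_ID"])
    outcome = probe_role(os.environ["CW_SITE"], headers)
    for tool, result in outcome.items():
        print(f"{tool:20s} {result}")
    print("denied:", denied_tools(outcome) or "none")
```

A denial for cw_get_boards with everything else allowed points at the System > Setup Tables Inquire permission discussed in the notes; a denial across every endpoint usually means the keys or clientId are wrong rather than the role, since a valid member with an empty role would still be rejected per endpoint rather than at authentication.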
